Commerce Department opens a public discussion on private data

Online commerce offers terrific conveniences for consumers and massive growth opportunities for retailers. But it also poses complex issues for online businesses and consumer advocates alike, particularly over the role that the federal government should play in regulating how companies handle people’s personal data.

Privacy advocates, banks, data brokers, software companies, the makers of search engines and information technology security firms all have strong opinions on the subject, some of which are rooted in ideology while others are the result of heavy investments in their business models. Complicating the matter even further are the often-conflicting approaches that federal and state regulators take.

Thus, the debate over federal data privacy laws is complex, layered and almost impossible for policy-makers to arbitrate. The differing perspectives might explain why data breach notification bills seem to languish each year in Congress and why Congress hasn’t seriously considered comprehensive consumer privacy legislation in years. What’s been missing so far is an honest broker among the competing stakeholders. In recognition of the importance of that discussion, the Commerce Department has moved to enter the debate.

The department is actively soliciting input from Internet users — consumers and businesses alike — on the current regulatory framework. In just the past several weeks, Commerce has formed an Internet policy task force, held a conference and issued a public notice of inquiry, and Secretary Gary Locke has given speeches on the subject. The department is gathering public comments through June 7, and those comments will contribute to the Obama administration’s domestic policy and international engagement on Internet privacy.

People can comment on a range of topics, such as the country’s legal framework for protecting privacy and ways to improve it, how the various state-level and international privacy laws affect companies and consumers, and the jurisdictional conflicts that companies and regulators must deal with as a result of the plethora of data privacy laws and how those conflicts affect trade.

Big companies in particular spend a lot of money complying with the privacy laws of different jurisdictions, said Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University’s law school. As a result, he said, corporate leaders tend to establish policies stating that, when given a choice, the company must adhere to the state law that has stricter requirements.

That dynamic explains why many IT businesses, unlike many privacy and consumer advocates, favor a national law for data breach notification that would pre-empt the patchwork of state laws, some of which are stringent. They want to avoid the costs and confusion of complying with different state requirements.

Mark Bregman, Symantec’s chief technology officer, gave an example to describe the situation during a recent Capitol Hill briefing by the Internet Security Alliance and American National Standards Institute. “I live in California,” Bregman said. “The servers that contain my personal data might be in North Dakota. The bank might be headquartered in New York. That leads to tremendous confusion and enormous added costs.”

Of course, there are reasons privacy advocates want to protect state prerogatives. Congress can take a long time to act, said Lillie Coney, associate director of the Electronic Privacy Information Center, while states are often good at identifying problems as they emerge.

It’s not at all clear that Commerce’s intervention will resolve this debate. But its focus on data privacy represents a marked shift from the previous administration.

“A lot of the discussions on privacy inside the government in the Bush administration were led by [the Homeland Security Department], and so you had a homeland security view on privacy,” said Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology. Having Commerce more involved should help internationally in data privacy discussions, he said.

To be sure, Commerce — as is the case with any executive branch agency — is limited in the impact it can have on federal regulations. But with lawmakers unable to settle the matter, the department represents a much-needed forum for open discussion.

“We need to take a fresh look at the policy framework that underpins the Internet economy,” Locke said in prepared remarks for the Business Software Alliance in April. “We need to ask: Are there policy nudges that can reduce impediments to e-commerce or that can spread its benefits more broadly?”